user, type string; the user-string from --token-auth-file. If you specify user, it must match the username of the authenticated user.

group, type string; if you specify group, it must match one of the groups of the authenticated user. system:authenticated matches all authenticated requests. system:unauthenticated matches all unauthenticated requests.

Resource-matching properties:

apiGroup, type string; an API group.

Ex: extensions

Wildcard: * matches all API groups.

namespace, type string; a namespace.

Ex: kube-system

Wildcard: * matches all namespaces. Leaving namespace unset matches only requests that carry no namespace (cluster-scoped resources), because an unset property compares equal to the empty string.

resource, type string; a resource type

Ex: pods

Wildcard: * matches all resource types.

Non-resource-matching properties:

nonResourcePath, type string; non-resource request paths.

Ex: /version or /apis

Wildcard:

* matches all non-resource requests.

/foo/* matches all subpaths of /foo/.

readonly, type boolean; when true, the policy matches only read requests: for a resource-matching policy that means the get, list, and watch operations, for a non-resource-matching policy only the get operation. A readonly policy never authorizes a write.

Note:

An unset property is the same as a property set to the zero value for its type
(e.g. empty string, 0, false). However, unset should be preferred for
readability.

In the future, policies may be expressed in a JSON format, and managed via a
REST interface.

Authorization Algorithm

A request has attributes which correspond to the properties of a policy object.

When a request is received, the attributes are determined. Unknown attributes
are set to the zero value of their type (e.g. empty string, 0, false).

A property set to "*" will match any value of the corresponding attribute.

The tuple of attributes is checked for a match against every policy in the
policy file. If at least one line matches the request attributes, then the
request is authorized (but may fail later validation). A request that matches
no line is denied; there is no property that expresses an explicit deny.

To permit any authenticated user to do something, write a policy with the
group property set to "system:authenticated".

To permit any unauthenticated user to do something, write a policy with the
group property set to "system:unauthenticated".

To permit a user to do anything, write a policy with the apiGroup, namespace,
resource, and nonResourcePath properties set to "*".

Kubectl

Kubectl uses the /api and /apis endpoints of the API server to negotiate
client/server versions. To validate objects sent to the API by create/update
operations, kubectl queries certain swagger resources. For API version v1
those would be /swaggerapi/api/v1 and /swaggerapi/experimental/v1.

When using ABAC authorization, those special paths have to be explicitly
allowed via the nonResourcePath property of a policy (see examples below):

/api, /api/*, /apis, and /apis/* for API version negotiation.

/version for retrieving the server version via kubectl version.

/swaggerapi/* for create/update operations.
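The following Go program is an added example, not code from the page or from Kubernetes itself. It implements the authorization algorithm described above (subject match, readonly, wildcard and zero-value matching, the /foo/* subpath rule) over a policy file written in the one-JSON-object-per-line abac.authorization.kubernetes.io/v1beta1 format, and its sample policy file carries the nonResourcePath lines kubectl needs. The sample policies and requests are constructed for this example; the Request type is a simplification of how the API server derives attributes from a URL (here a request is a resource request exactly when it carries a resource type), and the rule that a policy naming neither user nor group matches nobody follows the upstream ABAC authorizer rather than anything stated on this page.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// PolicySpec is the "spec" of one policy line; unset fields keep their zero
// value, which is exactly how the matcher treats them (see the Note above).
type PolicySpec struct {
	User            string `json:"user"`
	Group           string `json:"group"`
	APIGroup        string `json:"apiGroup"`
	Namespace       string `json:"namespace"`
	Resource        string `json:"resource"`
	NonResourcePath string `json:"nonResourcePath"`
	Readonly        bool   `json:"readonly"`
}

// Request holds the attributes derived from one HTTP request (simplified: Resource is set for
// resource requests, Path for non-resource ones; Verb is get/list/watch/... or the lower-cased HTTP method).
type Request struct {
	User, Verb, APIGroup, Namespace, Resource, Path string
	Groups                                          []string // e.g. system:authenticated
}

// ParsePolicyFile reads the one-JSON-object-per-line format; blank lines are skipped, a malformed line is an error.
func ParsePolicyFile(content string) ([]PolicySpec, error) {
	var policies []PolicySpec
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var p struct{ Spec PolicySpec } // apiVersion and kind are accepted but not checked here
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("policy file line %d: %w", n, err)
		}
		policies = append(policies, p.Spec)
	}
	return policies, sc.Err()
}

func matchAttr(want, got string) bool { return want == "*" || want == got } // "*" matches any value, else exact

// policyMatches is the per-line check: a policy naming neither user nor group matches
// nobody (upstream behaves the same) and a readonly policy never authorizes a write.
func policyMatches(s PolicySpec, r Request) bool {
	groupOK := s.Group == "" || s.Group == "*" // an unset group is simply not checked
	for _, g := range r.Groups {
		groupOK = groupOK || g == s.Group
	}
	readOnly := r.Verb == "get" || r.Resource != "" && (r.Verb == "list" || r.Verb == "watch")
	if (s.User == "" && s.Group == "") || (s.User != "" && !matchAttr(s.User, r.User)) ||
		!groupOK || (s.Readonly && !readOnly) {
		return false
	}
	if r.Resource != "" { // resource request: apiGroup, namespace and resource must all match
		return matchAttr(s.APIGroup, r.APIGroup) && matchAttr(s.Namespace, r.Namespace) && matchAttr(s.Resource, r.Resource)
	}
	p := s.NonResourcePath // "*" matches every path, "/foo/*" every subpath of /foo/, anything else exactly
	return p != "" && (p == "*" || p == r.Path ||
		strings.HasSuffix(p, "*") && strings.HasPrefix(r.Path, strings.TrimSuffix(p, "*")))
}

// Authorize implements the algorithm above: allowed if at least one line matches; the 1-based line number is returned for auditing.
func Authorize(policies []PolicySpec, r Request) (bool, int) {
	for i, p := range policies {
		if policyMatches(p, r) {
			return true, i + 1
		}
	}
	return false, 0
}

// SamplePolicyFile is constructed for this example. Lines 4-9 expose the non-resource
// paths kubectl needs, read-only, to every authenticated user.
const SamplePolicyFile = `{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "carol", "resource": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/api"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/api/*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/apis"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/apis/*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/version"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "/swaggerapi/*"}}`

func main() {
	policies, err := ParsePolicyFile(SamplePolicyFile)
	if err != nil {
		panic(err)
	}
	r := Request{User: "bob", Groups: []string{"system:authenticated"}, Verb: "get", Path: "/swaggerapi/api/v1"}
	ok, line := Authorize(policies, r)
	fmt.Printf("%s %s %s -> allowed=%v (policy line %d)\n", r.User, r.Verb, r.Path, ok, line)
}
```

Two behaviours worth checking against your own policy file: the carol line, which sets no namespace, only matches cluster-scoped requests (an unset property is the empty string, and "default" is not empty), so namespaced access needs "namespace": "*" or an explicit namespace; and /api/* does not cover /api itself, which is why both the exact path and the subpath wildcard appear in the list above.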

To inspect the HTTP calls involved in a specific kubectl operation you can turn
up the verbosity: